How will BSC strive to address frequent DeFi security incidents?

PANews ｜2021-06-09 15:06

BSC is a public permission-less infrastructure, anyone can deploy projects on it, including bad actors and hackers. It is not unusual for DeFi projects to have bugs, and this is not unique to BSC.

Author| Peter Editor | Tong Producer | PANews

In the past month, the crypto market experienced a difficult time. Bitcoin dropped to $30,000, losing half of its peak values and so did the other tokens.Nascent and leading DeFi Projects also followed the bear slip., On June 6th, Debank published a report on how the DeFi TVL on Ethereum public chain was $86.66 billion, and it had dropped by 35% from the peak value of $132.33 billion on May 11th. BSC ecosystem was no exception to this! Defistation data showed that the TVL has dropped to $26.66 billion, reducing by 50% from peak value of $53.6 billion on May 10th. Besides the overall market slump, the frequent security incidents on BSC have also compromised users’ confidence in the DeFi projects building on top of BSC.

BSC mistakenly blamed for DeFi flash loan attacks

On June 5th ,security organization PeckShield sounded the alarm that the first AMM on BSC, BurgerSwap, had encountered flash loan attacks again, only one week after the last one, which happened on May 28th. BurgerSwap encountered the first flash attack with 4400 WBNB (worth $7 million), 1.4 million USDTs and 432,000 BURGERs were stolen. A compensation plan was issued officially to airdrop new token cBURGER to qualified users. One week later, the same project on BSC was attacked again (the same flash loan attack).

According to open statistics from PANews, not only BurgerSwap, many projects on BSC, including Spartan Protocol , PancakeBunny , Bogged Finance , AutoShark, JulSwap and Belt Financealso also encountered flash loan attacks in May on BSC, and the loss of value accounted for 35% of all assets losses due to security issues on BSC.

DeFi users know that flash loans are not tools for bad actors, it is an innovative form of lending in a mortgage-free and vouch-free way. The borrower should pay back the loans and interest before the blockchain transaction completes, if not, the transaction will not be recorded into the block and the lended capital will be returned, just like the lending has never happened. Flash loans leverage the unique features of blockchain technologies to realize something that traditional finance cannot do.

For flash loan platforms such as Uniswap and PancakeSwap, they are lending the capital and receiving both the capital and interests, and they will not interfere with what the capitals are used for during the process. Since the lending smart contract has to be completed in the same lending transaction, the lender has to use other smart contracts to help it conduct immediate transactions with the lending capital before the transaction ends.

Anyone can initiate a flash loan transaction as long as the strategies are applicable at the time. The initiator costs include: gas fees, transaction fees and slippages. Attackers who have spotted the vulnerabilities of the project can provide a huge amount of capital in a very short time as the attack costs, and then leverage the code bugs to attack or to manipulate the price for arbitrage.

Regarding the frequent flash loan attacks, BSC stated how they might have become the target of an organized group of bad actors. For this, BSC called for risk prevention measures for on-chain DApps, and suggested on-chain projects to cooperate with audit companies for health checks. Forked projects should double-check the updates based on the original versions and adopt necessary risk-control measures for real-time monitoring, so that once abnormal conditions occur, the protocol can be paused timely. The project should also make emergency plans to prepare for the worst scenario. When conditions permit, bounty reward plans may be rolled out.

Since quite a few of the DeFi Security incidents happened on BSC, some users have doubts on BSC and even thought that the cause was the security bugs of BSC.

BSC Ecosystem Project Coordinator, Samy K. said, “BSC is a public permission-less infrastructure, anyone can deploy projects on it, including bad actors and hackers. It is not unusual for DeFi projects to have bugs, and this is not unique to BSC.”

Judging from attacks on Dapps, it is hard to come to the conclusion that is happening solely on BSC.. There are a lot of public chains that encounter attacks, and we can not conclude that the whole public chain is not safe just because some projects on it get attacked. Furthermore, dApps are still in the early stage of development and they still need continuous upgrading and evolution in the technology, product and security aspects.

In fact, BSC is facing a higher frequency of attacks because its DeFi ecosystem is getting more prosperous. To some extent, BSC is very similar to Ethereum last year. According to the security incident statistics in 2020 released by PeckShield, there were 60 DeFi security accidents on Ethereum, causing over $250 million of loss, much higher than the statistics in 2019. And flash loan attacks remain the No.1 cause of security issues and the reentrancy attack.

BSC’s growth has attracted more hackers

BSC has become a key attack target due to the prosperity of its ecosystem.

In fact, as early as in 2019, Binance launched the first public chain (Binance Chain), which is also of high throughput. However, due to lack of support for virtual machines and smart contracts, Binance Chain was used for the operation of Binance DEX and some other native DApps.

In 2020, Binance Chain’s community members launched BSC, which is EVM-compatible and supports smart contract. It is easy for developers to migrate their DApps on Ethereum to BSC, only requiring minimal configuration to avoid the high transaction costs on Ethereum.

Since the beginning of this year, BSC has seen significant growth from on-chain project ecosystem to user volume and user activity, showing more of its strength. According to bscproject data, by June 6th the BSC ecosystem covers DeFi, NFTs, tools and infrastructures, with 637 projects and 76,468,636 on-chain addresses; the daily transaction volume on BSC reached 4447,832, which is 392% of that on Ethereum, which was only 1134,526. According to CryptoDep data, out of the most active 10 dapps in the last 30 days, 9 were deployed on BSC.

Low gas fees and fast transaction speed significantly improved user experience and thus contributed a lot to the rapid rise of BSC. However, while there are a lot of public chains delivering high performance and low cost, BSC may have a lot more to offer.

The DeFi TVL of BSC has once reached 26%, and is 18.6% now. In terms of DEX 24-hour transaction volume, one of the BSC ecosystem projects PancakeSwap has surpassed top Ethereum projects, such as Uniswap and SushiSwap. PancakeSwap has saw a transaction volume of $156.48 billion in May, accounting for 49% of the total transaction volume on the DEX. Even outside the BSC ecosystem, the leading position of PancakeSwap is hard to shake.

The more prosperous the BSC ecosystem is, the stronger the Matthew effect on on-chain assets aggregation. When there are hundreds of projects with millions of users flooding into the platform, the platform will easily become the target of hackers and fraud attacks. It may also be true that similar to the development of the projects on Ethereum, projects on BSC will become more stable after addressing these security bugs, and the BSC ecosystem will become even more prosperous.

Ensure security and grasp the internal logic of the “lego component” combination

Due to the frequent occurrence of flash loan incidents on BSC, the word “flash loan” has left a negative impression on the community, who might hesitate and stop building on BSC.

PeckShield suggests that before launch, new contracts should go through audits, and pay attention to troubleshooting and identification of bugs in business logic when combining with other DeFi products. Also, work shall be done to introduce circuit breaker mechanism and third-party security threat awareness intelligence and data trend intelligence services to improve the security protection system.

All DeFi protocols are subject to changes. Even if one protocol has been audited multiple times, a slight update will render it useless. Therefore all the things should be done again, even for a slight update.

Besides, developers don’t have to worry too much about the security performance of BSC itself. According to official information, the security of BSC mainly comes from 2 aspects: one is the security of the code, the nodes, and the blockchain itself, the other is the security of the ecosystem.

The BSC blockchain is running on an open-source code, accessible for third parties and the public for auditing. With open-source code, anyone (with required technical knowledge) has the ability to review the code line by line and assess the possible vulnerabilities and threats. The PoSA algorithm built around 21 elected validators prevents individual validators from gaining too much control over the network and abusing the power.

The BSC ecosystem consists of multiple parts and participants, each coming with a different set of threats. There’s code and the algorithm, validators and their hardware, projects building on BSC, and also the individuals using it.

There are many ongoing community-driven efforts aiming to increase the security of the BSC ecosystem and protect the users and their funds & data. Besides, the BSC Core team has established CryptoSafe Alliance with industry-leading security companies for a series of security trainings; preparing for BSC CryptoSafe bounty plan; further enhancing the cooperation with industry security companies to provide more proactive penetration testing to identify issues earlier; BSC has also established BSC SAFU fund/insurance protocol to introduce better infrastructures and services.

As projects are paying more and more attention to security, it is believed that the DeFi attacks BSC will be gradually reduced.